Cracking Tezos ICO passwords on OSX

Lord Dark Helmet
12 min read, Jun 26, 2019

There are many great articles about cracking your Tezos ICO password using John The Ripper and many other tools; unfortunately, most of them are focused on Linux. Some users are uncomfortable with Linux, do not have easy access to it, or are completely unfamiliar with it. They want to use OSX. You can, and this guide will help you!

This guide will help you setup your OSX machine to do everything the Linux guides can do!

The first step is to download and install the tools. There are two things that you will need: Homebrew and John the Ripper.

For reference I am using OSX 10.14.3 (macOS Mojave)

Step 1: Install Homebrew

Homebrew is a package manager that lets you install most of the tools a Linux box comes with. It is needed to compile John The Ripper.

Let’s start the installation process by opening up a Terminal window.

When the terminal window opens you should see a command prompt like this

Now we are going to copy and paste the following line from the Homebrew website to the terminal window.

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Copy from the Homebrew website and paste it into the terminal window

Press Enter and the Homebrew Installation process will begin.

Depending on your setup, your experience may be slightly different, but you want to just select the default options.

Homebrew needs Xcode command line tools to operate. Press Enter to install the tools

Homebrew is asking that I should install Xcode Command Line Tools. Press Enter

If it asks you for your password, type it in and press Enter. (this is the password for your machine)

At this point the Homebrew Installation process should finish.

Great! At this point Homebrew is installed. Now using Homebrew we are going to install the compiler and necessary libraries for John The Ripper.

In the terminal window type in the following:

brew install gcc openssl

Press Enter.

Great! You have installed gcc (the compiler) and openssl.

OK, we are going to do a quick check to make sure your system is properly configured.

Type in the following command and press Enter.

echo $PATH

You should see something similar to this:

We are checking to make sure that /usr/local/bin precedes /usr/bin, so that the tools installed by Homebrew are found before the versions Apple ships.

OK we just have one more tool to install. We are going to install Python 3.7 or higher. In the terminal window type the following command and press enter.

brew install python

At this point you should have Python installed. Apple includes version 2.7 by default, but we are going to need version 3.7 or higher. To use the newer version we need to type python3 on the command line instead of python.

You can test the version out to check for yourself by typing in the following lines

python --version
python3 --version
We are going to be using python3

Great!!! You now have all the tools needed to setup and run John The Ripper.

Step 2: Install John The Ripper

We are going to download and install John The Ripper. To do this we need to get the source code and compile it. Don’t worry, it is very easy to do!

Let’s start by getting the source code.

Go to the GitHub Site for John The Ripper. We are going to need at least 1.9.0 “bleeding-jumbo”. To get it go to this site:

When you get there click on the green button that says “Clone or download”, then click on “Download ZIP”

Go to your Downloads folder; you should see the ZIP file or the extracted folder. If the file is not extracted, then extract it.

Extracted Folder in the Downloads folder

If you want you can move it or rename it. For the purposes of this article I am going to leave it here.

Now in the terminal window we want to navigate to the “src” folder. Let’s do this in finder first.

Double click on “JohnTheRipper-bleeding-jumbo”

Great, you are here.

In the terminal window you can do one of two things. You can either navigate to the directory (using cd and the directory name) or you can get some assistance from Finder. Let’s do it the Finder way.

In the terminal window type in “cd ”. THERE IS A SPACE AFTER cd.

Making sure there is a space after cd, drag and drop the src folder from Finder into the terminal window.

Great, the line should now say something like:

cd /users/<user name>/Downloads/JohnTheRipper-bleeding-jumbo/src

Press Enter

You have navigated to the src directory.

Alright, almost there, just two more simple steps: configuring and compiling.

Now we are going to configure the compile process for John The Ripper.

Type in the following and press enter

./configure
Configure has finished

Now we are going to compile John The Ripper. Type in the following and press enter.

make -s clean && make -sj4

The make (compile) process will take a long time and there will not be much visual feedback. When it is complete you should see “Make process completed”.

Awesome! At this point we are almost done. To run John The Ripper, you need to be in the “run” directory. Right now we are in the “src” directory, so we need to navigate to the “run” directory. You can either type in “cd ” with the space at the end and then drag and drop the run folder into the terminal window, or we can navigate using the command line.

To navigate using the command line type in the following lines pressing enter after each one.

cd ..
cd run

The first line brought us back a single folder, and the second line put us in the “run” folder. If you run into an issue or get confused, you can always type in “cd ” with the space at the end and drag and drop the “run” folder.

Step 3: Putting your info into John The Ripper

At this point I am assuming that everything is set up. If you have not already navigated to the “run” directory, let’s do that now.

In a terminal window type in the following line replacing your username as appropriate:

cd /users/<user name>/Downloads/JohnTheRipper-bleeding-jumbo/run

We want to run the tezos2john.py python script. This will set up the file that John The Ripper needs to start trying to crack passwords. We want to type in a command that looks similar to this:

python3 tezos2john.py 'seed words' 'email address' 'public address' > hashes

The first word shown is python3; it is the Python interpreter that runs the next word, tezos2john.py, which is the Python script. The next part is actually three parts, each inside single quotes. First you have the seed words. NEVER GIVE SEED WORDS TO ANYONE FOR ANY REASON! NEVER GIVE THE HASHES FILE TO ANYONE! Next, also in single quotes, you have your email address. Please ensure that this has the same capitalization as shown on your printout; it is case sensitive! Quite often people have not forgotten the password; they are just using the wrong email address or the wrong capitalization. The final quoted section is the public address. Finally you have something that says “> hashes”; what this does is save the script’s output to a file called hashes.

Here is an example:

python3 tezos2john.py 'piece tag panther file invest spread rural rude rally sweet lava goose apology tuna confirm' 'TezosHelp@outlook.com' 'tz1KsyixYbCqXrr8vjckmLDLYBkwGWv46PYZ' > hashes

Fill out your information and press enter.

Not a lot has happened visually; this is because the output was saved to a file. Let’s take a look at that file by typing in the following command and pressing enter.

cat hashes

Now we can see the output. What we are looking for here is that there are no error messages and that it has the correct seed words, email, and public address. This is a great time to verify that everything is spelled correctly, in the right order, and that capitalization is exactly what it looks like on the PDF.

Great! Now that you have verified everything is correct we can use that hashes file to try a few techniques out.

Step 4: Using John The Ripper To Crack Your Password

At this point I am assuming that you are in the run directory in the terminal. See Step 3 if you are not.

Congratulations! At this point you have everything you need to start cracking that password.

At this point all of the guides that use Linux as an example are usable!

Great! But you probably want an example! So let’s give two of them.

Example 1: Running the John The Ripper with default settings

Type the following code into the terminal and press enter

./john hashes
We are running… but isn’t this taking a long time?

OK! At this point John The Ripper is going to try to crack your password. This may take days, months, years, eternity! We can do better and I will talk about that in the second example.

But before I do that I am sure you want to test the progress of your password cracking. Press pretty much any key on the keyboard with the exception of ‘q’. I like pressing the space bar.

I pressed the space bar and got an update.

By pressing the space bar I got the following status line.

0g 0:00:03:49  3/3 0 g/s 1012p/s 1012C/s sinam1..sintr1

You can see that I have been running for 3 minutes and 49 seconds and I am trying about 1012 passwords a second.

This is going to take a very long time. A very very long time.

So what can we do to improve the situation? If you remember any part of your password, how it is structured, or even which characters you never use, that knowledge can reduce the number of combinations that need to be guessed.

Example 2: A simple masking example

This next example will crack the password faster if you know at least something about the password.

For this example here is information the person said:

All of my passwords have the same pattern. I pick a random symbol, then my dog’s name “Fluffy”, then a year or area code or zip code, I can’t remember, but it is anywhere from two to five numbers! Fluffy could be “Fluffy”, “fluffy” or “7luffy”.

OK this sounds like a good candidate for a mask. A mask is a template that we can use to guide John The Ripper.

The mask for this one will look like the following:

--mask=?s[Ff7]luffy?d

So what does this mean? You can check out the guide for John The Ripper’s masks, which will give you more information on all of the options. I am going to break it down here. The beginning “?s” tells john that there is a symbol in this slot. The second slot should be either F, f, or 7; this is represented by “[Ff7]”. We know the next few characters, so we just write them out: “luffy”. Finally, we know it ends with anywhere from two to five digits, so I just put down “?d”. Wait, that doesn’t make sense: I wanted 2 to 5 digits and that is only 1! Correct, so now we are going to set a min and max length. When the max length exceeds the mask’s length, the last placeholder in the mask is repeated to fill the remaining positions.

--mask=?s[Ff7]luffy?d --min-length=9 --max-length=12
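Before starting a run that may take hours, it helps to know how many candidates a mask actually produces and to confirm the mask can produce the kind of password you remember. The following is an added example (not part of this article or of John The Ripper) that implements the mask semantics described above for the placeholders ?l, ?u, ?d, ?s, custom sets like [Ff7], literals, and the min/max length repetition; it assumes ?s covers the 32 ASCII punctuation characters plus space, which matches John’s documented default.

```python
"""Keyspace estimator for John the Ripper style masks (added example)."""
import string
from typing import List

# Character classes for ?l ?u ?d ?s. Assumption: ?s is the 32 ASCII
# punctuation characters plus the space character, as John documents it.
CLASSES = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation + " ",
}


def parse_mask(mask: str) -> List[str]:
    """Turn a mask such as ?s[Ff7]luffy?d into one character set per slot."""
    slots: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":                # ?l ?u ?d ?s placeholder
            slots.append(CLASSES[mask[i + 1]])
            i += 2
        elif mask[i] == "[":              # custom set such as [Ff7]
            end = mask.index("]", i)
            slots.append(mask[i + 1:end])
            i = end + 1
        else:                             # literal character, e.g. the 'l' in luffy
            slots.append(mask[i])
            i += 1
    return slots


def expand(mask: str, min_len: int, max_len: int):
    """Yield the slot list John tries for each requested length: when the
    length exceeds the mask, the last slot is repeated (the article's --min/--max
    rule). Lengths shorter than the mask are skipped, as in the article's case."""
    base = parse_mask(mask)
    for length in range(max(min_len, len(base)), max_len + 1):
        yield base + [base[-1]] * (length - len(base))


def keyspace(mask: str, min_len: int, max_len: int) -> int:
    """Total number of candidates across all requested lengths."""
    total = 0
    for slots in expand(mask, min_len, max_len):
        count = 1
        for s in slots:
            count *= len(s)
        total += count
    return total


def matches(mask: str, min_len: int, max_len: int, candidate: str) -> bool:
    """True if the mask (with these length limits) would ever produce candidate."""
    return any(len(slots) == len(candidate)
               and all(ch in s for ch, s in zip(candidate, slots))
               for slots in expand(mask, min_len, max_len))


def hours_at(rate_per_sec: float, count: int) -> float:
    """Worst-case run time at a given candidates-per-second rate."""
    return count / rate_per_sec / 3600
```

With the article’s mask and length limits, keyspace returns about 11 million candidates, which at the 1012 p/s seen in Example 1 is roughly three hours in the worst case; matches confirms that “@Fluffy1234” is inside that keyspace while a candidate that does not start with a symbol is not.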

This is the point in which you want to read all of the guides out there on masking and other techniques for cracking your password. Feel free to ask me questions.

I am going to add one more thing here. I have a really slow computer, or the password I am trying to crack is going to take a lot of time. If my computer crashes or I want to pause for a while, I don’t want to lose my progress. To save it I am going to set up a “session”.

--session=TryFluff

So I put it all together and my final command will look like this:

./john hashes --session=TryFluff --mask=?s[Ff7]luffy?d --min-length=9 --max-length=12

When it is running you can get status updates by pushing the space bar. It will also give you status updates when it completes and moves onto the next “length”. This ETA is only for the current length and not the total duration for all lengths.

At this point I needed to stop for some reason. Instead of starting over I can just resume the session.

Note: if you run the original command again (the one with --session=TryFluff and the mask) instead of resuming, it will start over and overwrite your saved progress!

Use the following command to resume:

./john --restore=TryFluff

At this point we are off and running again. We did not lose any of our progress because we resumed our session.

Step 5: Wait… seriously, this takes a long, long time!

This is the hard part: waiting. The more you know about your password, the better you understand how to use masks and other options, and the better your computer/GPU is, the less time it will take. But it still takes a very, very, very long time.

Your best bet is to improve the masks or rules. This is much more effective than using poor masks and rules on a supercomputer. Please take the time to learn more and ask questions. The Tezos XTZ Recovery group on Telegram is a great resource.

I have been using a 256 core CPU (Xeon Phi) in an attempt to crack my password since the beginning. I am also brushing off my VHDL skills to attempt an efficient FPGA solution to increase the hash rate.

So far I have been unsuccessful in trying to crack my password, and it is a long shot due to the complexity of the randomly generated long password I used. I am unlikely to recover my password, which moves me to the next step.

Step 6: Fight for a governance change!

For those who are in the same boat I am, the only real hope is to issue a governance change that will invalidate the original addresses specified in the genesis block and issue new addresses to those who have submitted sufficient proof of ownership. There will need to be sufficient time to do this and it will cost to pay an organization to validate and do the work, but it is very doable. How it is doable is for another article.

Step 7: You are able to crack your password!

When you crack your password it will be stored in the john.pot file. It will also be printed on the screen.

In the above screenshot you can see that John The Ripper cracked the password! It may be difficult to see, so let’s look into the stored password file to check.

./john hashes --show
dummy:@Fluffy1234

The first part, dummy, is just a placeholder username for the tool; the password is “@Fluffy1234”.

Congratulations, you got your password! Now let’s move your funds to a secure address you control.

Move your coins to some address you control! Do not keep them in your ICO address!

If you are lucky enough to crack your password, I suggest that you immediately move your coins to a new address that you control. Using a Ledger Nano S with your seed backed up to multiple locations is suggested.

I hope that this helps you. If you have any questions please do not hesitate to contact me.

tz1WYZrE1Lhd5cgh4vzUhJB1UBNGEdekbskQ
